[Snort-users] False positives due to stream4 issue?

Jason Haar Jason.Haar at ...294...
Tue Apr 29 18:49:05 EDT 2003

On Tue, Apr 29, 2003 at 08:30:11PM -0400, Matt Kettler wrote:
> At 11:50 AM 4/30/2003 +1200, Jason Haar wrote:
> >I've noticed that the FPs I'm getting for "SMTP From comment overflow 
> >attempt"
> >look an entire mail message in one packet. ACID shows me the following:
> Are you using snort 2.0? the rule in 2.0 shouldn't have fired on this. It 
> should also be looking for a pair of closely spaced ( ) characters after 
> the string of <><><><> stuff.

Hmm. You're right. I forgot I've upgraded our "template" IDS to 2.0 but
hadn't pushed it out to the one reporting the FPs...

> In fact, presenting that data in that fashion is pretty much what stream4 
> should be doing (although I'd argue it should have flushed the data through 
> each time your server responded. So it should have appeared as if it were 4 
> packets, regardless of the actual number of IP layer packets, which could 
> be significantly greater).

I think I've been here before. The problem is that I'm expecting Snort to
"magically" differentiate between:

client: -> "MAIL FROM: xxxxxxxxx"
server: -> "OK"
client: -> "RCPT TO........."


client: -> "<ftp-data stream>"
server: -> ACK
client: -> "<ftp-data stream>"
server: -> ACK

...when in fact there is no differences between those two. What I guess I'm
talking about is the need for a whole slew of new preprocessors:
smtp_decode, tls_decode, etc.

So my problem was actually due to some issue in 1.9.1 - running
snortrules-current by the looks of it - whoops.

BTW: the rules download area needs to be updated - no explicit mention of
what rules are for Snort 2.0...


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list